Fortinet black logo

New Features

Home FortiManager 6.4.0 New Features

New SD-WAN zone with support for virtual-wan-link and FortiOS 6.4.1

6.4.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.7
6.2.3
6.2.2
6.2.1
6.2.0
Copy Link
Copy Doc ID b5bbfe47-438c-11ea-9384-00505692583a:318104
Download PDF

New SD-WAN zone with support for virtual-wan-link and FortiOS 6.4.1

FortiManager 6.4.1 and later supports SD-WAN zones and the virtual-wan-link option available in FortiOS 6.4.1 and later. Each SD-WAN interface member is assigned to a zone. The default zone is named virtual-wan-link.

With the implementation of SD-WAN zones, you can no longer select SD-WAN interface members in policies. Instead you must select zones in policies.

Note

After upgrading to FortiManager 6.4.1, an SD-WAN zone named upg-zone-<interface-name> is automatically created for each interface member, and affected policies are automatically updated.

When central management is enabled for SD-WAN in FortiManager, a normalized interface is automatically created when you create an SD-WAN zone.

When you import an SD-WAN zone to FortiManager, FortiManager automatically creates a normalized interface and adds per-device mappings.

This topic includes the following sections:

Per-device management

When per-device management is enabled in FortiManager, the default SD-WAN zone is named virtual-wan-link.

You can create an SD-WAN interface member and an SD-WAN zone:

To create an SD-WAN zone:
  1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

    The SD-WAN configurations are displayed in the content pane.

  2. Double-click a configuration to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Zone.

    The Create New SD-WAN Zone dialog box is displayed.

  4. In the Name box, type a name for the zone.
  5. Click the Interface Members box.

    The list of interfaces is displayed.

  6. Select the interfaces to be members of the zone, and click OK.
  7. Click OK to finish creating the zone.
To create an SD-WAN interface member:
  1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

    The SD-WAN configurations are displayed in the content pane.

  2. Double-click a configuration to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Member.

    The Create New SD-WAN Interface Member dialog box is displayed.

  4. Click the Interface Members box, and select an interface.
  5. In the SD-WAN Zone box, select a zone.
  6. Click OK.

    The interface is added to the zone.

Central management

When central management is enabled, the default SD-WAN zone is named virtual-wan-link.

You can create an SD-WAN member and an SD-WAN zone:

To create an SD-WAN zone:
  1. In an ADOM with central management enabled, go to Device Manager > SD-WAN > SD-WAN Templates.

    The templates are displayed in the content screen.

  2. Double-click a template to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Zone.
  4. In the Name box, type a name for the zone, such as vpn-zone.
  5. Click the Interface Members box.

    The list of interfaces is displayed.

  6. Select the interfaces to be members of the zone, and click OK.
  7. Click OK to finish creating the zone.

    In the following example, the zone named vpn-zone is created in addition to the default zone named virtual-wan-link.

To create an SD-WAN interface member:
  1. In an ADOM with central management enabled, go to Device Manager > SD-WAN.

    The templates are displayed in the content screen.

  2. Double-click a template to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Member.

    The Create New SD-WAN Interface Member dialog box is displayed.

  4. Create a new SD-WAN interface:
    1. In the Interface Member list, click the + icon.

      The Create New WAN Interface dialog box is displayed.

    2. In the Name box, type a name for the interface.
    3. In the Normalized Interface, select an interface.
    4. Complete the remaining options, and click OK.

      The SD-WAN interface is created.

  5. In the SD-WAN Zone box, select the zone.
  6. Click OK.

    The interface is added to the zone.

Zones and interface members

You can select SD-WAN zones as source and destination interfaces in firewall policies. You cannot select interface members of SD-WAN zones in firewall policies.

The SD-WAN interface (virtual-wan-link) used in policies is replaced by SD-WAN zones.

To view zones and interface members:
  1. Go to Policy & Objects > Object Configuration > Normalized Interface.

    The Normalized Interface column displays the name of the interface, and the Mapped Interface/Zone column displays the name of the zone.

Zones in firewall policies

To use a zone in a firewall policy:
  1. Go to Policy & Objects > Policy Packages > Firewall Policy.
  2. In the content pane, click Create New.

    The Create New Firewall Policy pane is displayed.

  3. Click the Incoming Interface box, and select a zone.

  4. Click the Outgoing Interface box, and select a zone.
  5. Set the remaining options, and click OK.

SD-WAN interface members after upgrade

Before FortiManager 6.4.1, you could use SD-WAN interface members directly in a policy. After upgrading to FortiManager 6.4.1, SD-WAN interface members are automatically upgraded to zones. Upgraded SD-WAN members are named upg-zone-<interface-name>, and they replace interfaces in policies.

To view SD-WAN members after upgrade:
  1. Go to Device Manager > SD-WAN > SD-WAN Templates.
  2. Double-click a template to open it for editing.

    The upgraded SD-WAN members are displayed.

To view upgraded SD-WAN members in policies:
  1. Go to Policy & Objects > Policy Packages > Firewall Policy.

    The upgraded SD-WAN members are displayed.

Previous
Next

New SD-WAN zone with support for virtual-wan-link and FortiOS 6.4.1

FortiManager 6.4.1 and later supports SD-WAN zones and the virtual-wan-link option available in FortiOS 6.4.1 and later. Each SD-WAN interface member is assigned to a zone. The default zone is named virtual-wan-link.

With the implementation of SD-WAN zones, you can no longer select SD-WAN interface members in policies. Instead you must select zones in policies.

Note

After upgrading to FortiManager 6.4.1, an SD-WAN zone named upg-zone-<interface-name> is automatically created for each interface member, and affected policies are automatically updated.

When central management is enabled for SD-WAN in FortiManager, a normalized interface is automatically created when you create an SD-WAN zone.

When you import an SD-WAN zone to FortiManager, FortiManager automatically creates a normalized interface and adds per-device mappings.

This topic includes the following sections:

Per-device management

When per-device management is enabled in FortiManager, the default SD-WAN zone is named virtual-wan-link.

You can create an SD-WAN interface member and an SD-WAN zone:

To create an SD-WAN zone:
  1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

    The SD-WAN configurations are displayed in the content pane.

  2. Double-click a configuration to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Zone.

    The Create New SD-WAN Zone dialog box is displayed.

  4. In the Name box, type a name for the zone.
  5. Click the Interface Members box.

    The list of interfaces is displayed.

  6. Select the interfaces to be members of the zone, and click OK.
  7. Click OK to finish creating the zone.
To create an SD-WAN interface member:
  1. In an ADOM with per-device management enabled, go to Device Manager > SD-WAN > SD-WAN.

    The SD-WAN configurations are displayed in the content pane.

  2. Double-click a configuration to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Member.

    The Create New SD-WAN Interface Member dialog box is displayed.

  4. Click the Interface Members box, and select an interface.
  5. In the SD-WAN Zone box, select a zone.
  6. Click OK.

    The interface is added to the zone.

Central management

When central management is enabled, the default SD-WAN zone is named virtual-wan-link.

You can create an SD-WAN member and an SD-WAN zone:

To create an SD-WAN zone:
  1. In an ADOM with central management enabled, go to Device Manager > SD-WAN > SD-WAN Templates.

    The templates are displayed in the content screen.

  2. Double-click a template to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Zone.
  4. In the Name box, type a name for the zone, such as vpn-zone.
  5. Click the Interface Members box.

    The list of interfaces is displayed.

  6. Select the interfaces to be members of the zone, and click OK.
  7. Click OK to finish creating the zone.

    In the following example, the zone named vpn-zone is created in addition to the default zone named virtual-wan-link.

To create an SD-WAN interface member:
  1. In an ADOM with central management enabled, go to Device Manager > SD-WAN.

    The templates are displayed in the content screen.

  2. Double-click a template to open it for editing, or click Create New.

    The SD-WAN settings are displayed.

  3. In the Interface Members section, click Create New > SD-WAN Member.

    The Create New SD-WAN Interface Member dialog box is displayed.

  4. Create a new SD-WAN interface:
    1. In the Interface Member list, click the + icon.

      The Create New WAN Interface dialog box is displayed.

    2. In the Name box, type a name for the interface.
    3. In the Normalized Interface, select an interface.
    4. Complete the remaining options, and click OK.

      The SD-WAN interface is created.

  5. In the SD-WAN Zone box, select the zone.
  6. Click OK.

    The interface is added to the zone.

Zones and interface members

You can select SD-WAN zones as source and destination interfaces in firewall policies. You cannot select interface members of SD-WAN zones in firewall policies.

The SD-WAN interface (virtual-wan-link) used in policies is replaced by SD-WAN zones.

To view zones and interface members:
  1. Go to Policy & Objects > Object Configuration > Normalized Interface.

    The Normalized Interface column displays the name of the interface, and the Mapped Interface/Zone column displays the name of the zone.

Zones in firewall policies

To use a zone in a firewall policy:
  1. Go to Policy & Objects > Policy Packages > Firewall Policy.
  2. In the content pane, click Create New.

    The Create New Firewall Policy pane is displayed.

  3. Click the Incoming Interface box, and select a zone.

  4. Click the Outgoing Interface box, and select a zone.
  5. Set the remaining options, and click OK.

SD-WAN interface members after upgrade

Before FortiManager 6.4.1, you could use SD-WAN interface members directly in a policy. After upgrading to FortiManager 6.4.1, SD-WAN interface members are automatically upgraded to zones. Upgraded SD-WAN members are named upg-zone-<interface-name>, and they replace interfaces in policies.

To view SD-WAN members after upgrade:
  1. Go to Device Manager > SD-WAN > SD-WAN Templates.
  2. Double-click a template to open it for editing.

    The upgraded SD-WAN members are displayed.

To view upgraded SD-WAN members in policies:
  1. Go to Policy & Objects > Policy Packages > Firewall Policy.

    The upgraded SD-WAN members are displayed.

Previous
Next